Issue Station
Sign In
Tools hereToolbox

openclaw - ✅(Solved) Fix Bug: auth-profiles.json field name `api_key` silently ignored — correct field is `key` [1 pull requests, 1 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
openclaw/openclaw#57389Fetched 2026-04-08 01:50:16
View on GitHub
Comments
0
Participants
1
Timeline
2
Reactions
0
Author
zeeyuu222zeeyuu222
Participants
zeeyuu222zeeyuu222
Timeline (top)
cross-referenced ×1referenced ×1

When configuring auth-profiles.json with "api_key" as the field name for API key credentials, the key resolution silently fails. The correct field name is "key", but this is not documented and there is no validation error — the profile is simply skipped.

This causes downstream features (e.g., LCM plugin compaction, embedded agent runs) to fail with a misleading error:

modelAuth.resolveApiKeyForProvider FAILED: No API key found for provider "<provider>"

Error Message

When configuring auth-profiles.json with "api_key" as the field name for API key credentials, the key resolution silently fails. The correct field name is "key", but this is not documented and there is no validation error — the profile is simply skipped. This causes downstream features (e.g., LCM plugin compaction, embedded agent runs) to fail with a misleading error: 3. Validate auth-profiles.json on load and warn when unrecognized fields are present

Root Cause

In the bundled runtime, resolveApiKeyForProfile reads:

  • cred.key for inline API keys
  • cred.keyRef for SecretRef-based keys

But the field "api_key" in the JSON is not mapped to either property. resolveProfileSecretString receives undefined for both value and valueRef, returns null, and the profile is skipped without any warning.

The call chain:

resolveApiKeyForProvider
  → resolveAuthProfileOrder (filters eligible profiles)
    → resolveApiKeyForProfile
      → resolveProfileSecretString(cred.key, cred.keyRef)
        → both undefined → returns null → profile skipped

Fix Action

Workaround

Change "api_key" to "key" in all auth-profiles.json files:

{
  "profiles": {
    "my-key": {
      "type": "api_key",
      "provider": "my-provider",
      "key": "sk-xxxx"
    }
  },
  "order": {
    "my-provider": ["my-key"]
  }
}

PR fix notes

PR #57418: fix(auth-profiles): accept 'api_key' as alias for 'key' in auth-profiles.json

Description (problem / solution / changelog)

Summary

When configuring auth-profiles.json with type: "api_key", users naturally use "api_key" as the field name for the API key value. However, the code only recognized "key" and "apiKey" (camelCase) as valid field names, causing silent resolution failures with no warning.

Changes

Adds "api_key" (snake_case) as a recognized alias in normalizeRawCredentialEntry, matching the existing "apiKey" (camelCase) alias pattern.

Root Cause

resolveProfileSecretString receives undefined for both cred.key and cred.keyRef when "api_key" is used, silently skipping the profile.

Fixes #57389

Changed files

  • openclaw-2026-03-30.log (added, +989/-0)
  • src/agents/auth-profiles/store.ts (modified, +4/-1)

Code Example

modelAuth.resolveApiKeyForProvider FAILED: No API key found for provider "<provider>"

---

{
  "models": {
    "providers": {
      "my-provider": {
        "baseUrl": "http://localhost:8080",
        "apiKey": "sk-xxxx"
      }
    }
  }
}

---

{
  "profiles": {
    "my-key": {
      "type": "api_key",
      "provider": "my-provider",
      "api_key": "sk-xxxx"
    }
  },
  "order": {
    "my-provider": ["my-key"]
  }
}

---

resolveApiKeyForProvider
resolveAuthProfileOrder (filters eligible profiles)
    → resolveApiKeyForProfile
resolveProfileSecretString(cred.key, cred.keyRef)
        → both undefined → returns null → profile skipped

---

{
  "profiles": {
    "my-key": {
      "type": "api_key",
      "provider": "my-provider",
      "key": "sk-xxxx"
    }
  },
  "order": {
    "my-provider": ["my-key"]
  }
}
RAW_BUFFERClick to expand / collapse

Summary

When configuring auth-profiles.json with "api_key" as the field name for API key credentials, the key resolution silently fails. The correct field name is "key", but this is not documented and there is no validation error — the profile is simply skipped.

This causes downstream features (e.g., LCM plugin compaction, embedded agent runs) to fail with a misleading error:

modelAuth.resolveApiKeyForProvider FAILED: No API key found for provider "<provider>"

Environment

  • OpenClaw: 2026.3.24 (also affects 2026.3.28)
  • OS: Linux (Ubuntu)
  • Plugin: @martian-engineering/lossless-claw v0.4.0 (triggers the issue via modelAuth.resolveApiKeyForProvider)

Steps to Reproduce

  1. Configure a custom provider in openclaw.json:
{
  "models": {
    "providers": {
      "my-provider": {
        "baseUrl": "http://localhost:8080",
        "apiKey": "sk-xxxx"
      }
    }
  }
}
  1. Set up auth-profiles.json for any agent:
{
  "profiles": {
    "my-key": {
      "type": "api_key",
      "provider": "my-provider",
      "api_key": "sk-xxxx"
    }
  },
  "order": {
    "my-provider": ["my-key"]
  }
}
  1. Any feature that calls resolveApiKeyForProvider("my-provider") fails silently.

Root Cause

In the bundled runtime, resolveApiKeyForProfile reads:

  • cred.key for inline API keys
  • cred.keyRef for SecretRef-based keys

But the field "api_key" in the JSON is not mapped to either property. resolveProfileSecretString receives undefined for both value and valueRef, returns null, and the profile is skipped without any warning.

The call chain:

resolveApiKeyForProvider
  → resolveAuthProfileOrder (filters eligible profiles)
    → resolveApiKeyForProfile
      → resolveProfileSecretString(cred.key, cred.keyRef)
        → both undefined → returns null → profile skipped

Expected Behavior

Either:

  1. Document that the correct field name is key (not api_key) in auth-profiles.json
  2. Accept both api_key and key as valid field names with a normalization step
  3. Validate auth-profiles.json on load and warn when unrecognized fields are present

Option 3 would have saved significant debugging time — the silent failure made this very hard to diagnose.

Workaround

Change "api_key" to "key" in all auth-profiles.json files:

{
  "profiles": {
    "my-key": {
      "type": "api_key",
      "provider": "my-provider",
      "key": "sk-xxxx"
    }
  },
  "order": {
    "my-provider": ["my-key"]
  }
}

Impact

  • Any user setting up auth profiles with "api_key" (the intuitive name matching the profile type: "api_key") will hit this silently
  • LCM plugin compaction fails without visible errors in chat — summaries simply stop being generated
  • Embedded agent runs may fail or fall back unexpectedly
  • Main conversation flow is unaffected if models.providers.*.apiKey is also configured, which masks the auth-profiles bug further and delays discovery

extent analysis

Fix Plan

To resolve the issue, update the auth-profiles.json file to use the correct field name "key" instead of "api_key".

  • Replace "api_key" with "key" in all auth-profiles.json files:
{
  "profiles": {
    "my-key": {
      "type": "api_key",
      "provider": "my-provider",
      "key": "sk-xxxx"
    }
  },
  "order": {
    "my-provider": ["my-key"]
  }
}

Alternatively, you can modify the resolveApiKeyForProfile function to accept both "api_key" and "key" as valid field names. This can be achieved by adding a normalization step:

function resolveApiKeyForProfile(cred) {
  const key = cred.key || cred.api_key;
  // ...
}

Verification

To verify that the fix worked, check the following:

  • The modelAuth.resolveApiKeyForProvider function no longer returns an error.
  • Downstream features such as LCM plugin compaction and embedded agent runs are working as expected.
  • The auth-profiles.json file is correctly parsed and the API key is resolved.

Extra Tips

  • It's recommended to add validation to the auth-profiles.json file to warn about unrecognized fields.
  • Consider documenting the correct field name "key" in the auth-profiles.json file to avoid similar issues in the future.
  • When debugging similar issues, check the field names in the configuration files and verify that they match the expected names in the code.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…
#api#SSR setup#ISR setup#authentication setup#request error

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING